[Reprint] Parsing DLL files in Windows---interpretation of classic DLLs

Source: Internet
Author: User

In the Windows world there are countless active continents, and they all share one name: the dynamic link library. Now step onto these magical continents and uncover their long-hidden secrets!

First glimpse of the doorway: the cornerstone of Windows

Open any system directory and you will see many files with the DLL extension. These are the often-mentioned "dynamic link libraries"; DLL is the abbreviation of dynamic link library (that is, "dynamically linked library"). Dynamic-link libraries have been the foundation of this operating system since Microsoft launched its first version of Windows.

1. See what's in the DLL.

Instead of using obscure terminology to explain what a DLL is, let's look at what is in a DLL. Like an EXE file, a DLL contains the program's binary executable code and the resources the program requires (such as tags, dialog boxes, strings, etc.). But why put the code inside a DLL rather than in the EXE? In fact, the code in a DLL takes the form of API functions. In layman's terms, the program code in the DLL has been made into small modules, and the application presses a specific button on the DLL it needs in order to invoke the function behind that button. When using a program such as Notepad, if you want to save or open a file, the common file dialog box pops up so that you can select the file location. This is the common dialog interface, provided by invoking the system's underlying DLLs.

2. Several important DLLs in the system

There are 3 very important underlying DLLs in Windows: Kernel32.dll, User32.dll and GDI32.dll. Kernel32.dll, as the name implies, holds the kernel-related functions, mainly those for managing memory, processes and threads. User32.dll contains functions for performing user interface tasks, such as passing a user's mouse click to a window so that the window executes the scheduled event for that click. The name GDI32.dll is an abbreviation of Graphics Device Interface; it contains functions for drawing and displaying text, for example the functions invoked to draw a program window when it is displayed.

3. Why use DLLs

The previous section touched on this question, but it only explained that a DLL packages program code as functions. Why is packaging code as functions a reason for a system to use so many DLLs?

① Extending the Application

DLLs can be dynamically loaded into memory by an application, so the application can load a DLL only when it is needed, which makes the program more maintainable. For example, if QQ's video function needs to be upgraded, the programmers responsible for QQ do not have to rewrite all of the QQ code; only the DLL files related to the video function need to be rewritten.

② Facilitating Programmer Collaboration

This has little to do with the end user and is for understanding only. There are many programming tools, such as VB, VC and Delphi. If several people cooperate to write a large program, some may use VB and some VC, so the parts each is responsible for are in different programming languages. Which compiler should the whole thing be compiled with? It is like a group of people from different countries writing an article together: if they use different languages, how can the article be put together? With DLLs, the VC programmer can write a DLL and the VB programmer can call it from their program, without having to worry about compiling everything into a single EXE.

③ Save Memory

If multiple applications invoke the same dynamic-link library, the DLL file is not loaded into memory repeatedly; the applications share the single copy already loaded in memory. It is like an office: employees are rarely each given their own water dispenser; instead one is placed in a public location and all staff who need water share it, reducing costs and saving space.

④ Sharing Program Resources

DLL files, including the one behind the common file dialog box just mentioned, make it possible for applications to share resources. A resource can be a program dialog box, a string, an icon, or a sound file.

⑤ Resolving Application Localization Issues

After downloading a Chinese localization pack for a program and opening its instructions, you often find that you only need to overwrite the original DLL with the DLL file from the download package, and the localization is done. In these programs the executable code and the application interface are written separately, so the localizer can simply translate the DLL related to the program interface and publish it.

Thirst for knowledge: Exploring the truth of DLLs

Who knows how many functions a DLL contains, and who knows which DLLs an EXE calls? In fact, this problem is not difficult to solve. Dependency Walker (hereinafter referred to as Depends) is a tool for analyzing EXE files, and today it is our tool for exploring the truth about DLLs.

1. See how many functions are in the DLL

The first step: download and unzip Depends, run Depends.exe, and then select the menu "File→Open". In the file selection box, select and open the DLL file you want to parse; here we choose QQZip.dll in the QQ directory.

The second step: the tree on the left side of the program lists which functions of other DLLs this DLL uses (a DLL can also call other DLLs ^o^), and the two lists on the right show the function input table and the function output table respectively. The function output table is the complete list of functions that the DLL provides for other EXEs or DLLs to call.

The third step: the Function column of the output table holds the names of the output functions (see Figure 1). In QQZip.dll we find 2 functions: Unzip and Zip. So you can judge that this DLL is responsible for compression and decompression tasks in the QQ program.

2. Which DLLs does the EXE use?

Again taking QQ as an example, open QQ.exe in Depends. The tree on the left side of the interface shows the list of DLLs called by QQ.exe (see Figure 2). If you expand these DLL branches you will find further DLLs, which means that the DLL files QQ calls may (almost certainly do) call other DLLs in turn. It is like buying a new DVD player: the mechanism inside is probably made by Sony, and a small capacitor in that mechanism could come from yet another company.

3. Use DLL to see through EXE's true colors

We now have the list of DLLs used by QQ.exe, and a lot of other information can be read from this list. For example, it contains MFC42.dll, so you can judge that QQ.exe was written in VC (that is, Visual C++), and the inclusion of WSOCK32.dll shows that the program has network communication functions (obviously: what use would QQ be if it could not communicate over the network?). Here is a short table; based on the DLLs another EXE uses, you can make a preliminary assessment of its function.

DLL file name: information that can be determined about the EXE

MFC42.dll: written using VC 5.0/6.0.
Vbrun*.dll: "*" represents the numeric version number; written using VB 3.0/4.0.
MSVBVM50.dll: written using VB 5.0; this DLL comes with Windows 98 (SE).
MSVBVM60.dll: written using VB 6.0; this DLL comes with systems such as Windows ME/2000/XP.
ADVAPI32.dll: may perform registry operations.
WSOCK32.dll: has network communication functions.
Ws2_32.dll: has network communication functions.
WININET.dll: has HTTP browsing, download and similar functions; typical examples are browsers and download tools.
WINMM.dll: has multimedia playback capability.
DDRAW.dll: games, advanced image processing tools.
D3d*.dll: 3D games, or animation processing tools.

4. A DLL is a big treasure chest

Besides DLLs that provide functions for applications to call, there is another kind of DLL used to store resources, such as QQRes.dll in the QQ directory. Open it with Depends and you find that it has no output functions. Is it a useless DLL? Open it instead with the resource tool Resource Hacker (http://www.onlinedown.net/soft/12420.htm) and you find that it stores a great many QQ resources, including icons, music, pictures, strings, dialog boxes ...

Inquisitive: The Fable of DLL

Faults caused by DLLs are very common. Why do they cause failures, and how can the trouble be solved? Hush ~ eavesdrop on the DLLs' conversation and you'll understand.

1. Talk about interface compatibility from porters

On the Windows construction site there is a contractor named EXE, who has many construction workers called DLLs. One DLL is specially responsible for carrying things (call him "Porter A"). Each time cement needs to be carried, contractor EXE only has to shout: "Come! Move."

After a period of time, Porter A felt that his efficiency was too low, so he changed from carrying 1 bag of cement at a time to carrying 3 bags. Although the handling method had been improved, contractor EXE still just shouted "Come! Move." each time, without knowing that Porter A had changed the way he carried.

But after a while, contractor EXE dismissed Porter A and found another DLL (called "Porter B") from another site. On the other site this porter carried things very fast, so contractor EXE decided to "upgrade" the handling work. But when the work really started, the contractor found a problem ... No matter how many times he said "Come! Move.", this new Porter B did not know what to move.

In the example above, Porter A improves his handling method, but the way EXE calls him is unchanged. This is the principle of a DLL upgrade: improve the internal implementation but keep the calling interface unchanged, so that the EXE file can call the new version of the DLL without being upgraded itself. Porter B's story shows that no matter how efficient the new version of the DLL is, if its interface (which can be understood as the names of the functions in the DLL's output table) is inconsistent with the original, the EXE does not know it and cannot invoke it.

2. Registering the identity card DLL

Many system failures are caused by DLL files that are not registered. For example, a failure of the Windows XP compressed folder function is likely to mean that Zipfldr.dll in the system directory is not registered. The solution to this type of failure is mostly to run the following command:

regsvr32 DLL file name

Many people do not understand why this is done. Can this be done with every DLL?

In fact, there are two types of DLL in the system: one can be used without registration, and the other must be logged with the system (that is, registered) before it can be used. It is like the difference between a temp and a long-term worker on the employee list. How can you tell these two kinds of DLL apart? The method is very simple: open the DLL with Depends and again look at the function output table. If it contains the following two functions (the former registers the DLL, the latter unregisters it), then the DLL must be registered before use.

DllRegisterServer

DllUnregisterServer

The regsvr32 command, in effect, calls these two functions in the DLL (the DllUnregisterServer unregistration function is called by "regsvr32 /u DLL file name").

3. The secret of the plugin DLL

Winamp, Foobar 2000 and much other software have plug-in features: download a DLL from the Internet, put it in the plug-in directory, and the program supports new features. How is this done? Take the popular player software "Chin listening" as an example.

The "Chin listening" plug-in directory is the Addin subdirectory under the software's installation directory; programs generally name their plug-in directory "Plugins" or "Addin". The "Chin listening" plug-in directory contains many DLL files, such as Tt_asf.dll and Tt_rm.dll, and from the file names you can see that these DLLs enable the player to support various types of audio file. Open these files with Depends and you will find that the output function table of each of them includes the same function: Ttpgetsoundaddin.

This is the secret of plug-ins. When a program that supports plug-ins is released, a plug-in protocol is published with it. The protocol specifies the function names that a plug-in DLL called by the program must contain, and the related parameter rules. Third-party plug-in programmers then write the output functions of their DLL according to this plug-in standard.

① For the plug-in Tt_asf.dll

Ttplayer.exe (the "Chin listening" main program) said to Tt_asf.dll: "I want to call your Ttpgetsoundaddin function!"

Tt_asf.dll replied: "OK."

② If you put an unrelated DLL in the Addin directory

Ttplayer.exe said to the unknown DLL: "I'm going to call your Ttpgetsoundaddin function!"

The unknown DLL replied: "What is that function? Never heard of it!"
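
The two checks described above (looking in the function output table for DllRegisterServer and DllUnregisterServer, and for a plug-in's agreed function such as Ttpgetsoundaddin) can be made on the file's bytes, without loading the DLL, by reading the export name table of its PE format. The Python below is an added example, not code from the original article or from any program it mentions; build_sample_dll is a hypothetical helper that constructs a minimal test image so the example runs without a real DLL.

```python
import struct

REGISTRATION = {"DllRegisterServer", "DllUnregisterServer"}   # registration check
PLUGIN = {"Ttpgetsoundaddin"}                                 # plug-in protocol check

def export_names(pe):
    """Names in a PE image's export table; [] when there is no export directory."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                             # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+
    sections = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]                        # vsize, va, rawsize, rawptr
    def off(rva):                                             # RVA -> file offset
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA %#x is outside every section" % rva)
    exp_rva = struct.unpack_from("<I", pe, dirs)[0]
    if exp_rva == 0:                                          # e.g. a resource-only DLL
        return []
    count, names_rva = struct.unpack_from("<I4xI", pe, off(exp_rva) + 24)
    table, names = off(names_rva), []
    for i in range(count):
        p = off(struct.unpack_from("<I", pe, table + 4 * i)[0])
        names.append(pe[p:pe.index(b"\0", p)].decode("ascii"))
    return names

def has_exports(pe, required):
    """True when every required name appears in the export table."""
    return set(required) <= set(export_names(pe))

def build_sample_dll(names):
    """Constructed input: minimal PE32 image with one section holding the export table."""
    va, raw = 0x1000, 0x200
    strings_rva = va + 40 + 4 * len(names)                    # directory, pointers, strings
    ptrs = strings = b""
    for n in names:
        ptrs += struct.pack("<I", strings_rva + len(strings))
        strings += n.encode() + b"\0"
    body = struct.pack("<10I", 0, 0, 0, 0, 1, len(names), len(names), 0, va + 40, 0) + ptrs + strings
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<3I", 16, va if names else 0, len(body)) + bytes(120)
    sect = b".edata\0\0" + struct.pack("<8I", len(body), va, len(body), raw, 0, 0, 0, 0x40000040)
    head = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return head.ljust(raw, b"\0") + body
```

On a real file, pass the result of open(path, "rb").read() to export_names or has_exports.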
